As a result, “We are expecting a tsunami of privacy enforcement,” the Electronic Privacy and Information Center’s Marc Rotenberg told The Privacy Advisor. “News of the NSA’s global surveillance activities, coupled with the pending investigations of Google in Europe and the ongoing interest in updating privacy laws on both sides of the Atlantic, has created a perfect storm.”

CPOs working on the Continent agree. To a point.

“I don’t know whether I would call it an enforcement tsunami, but he made a good point that there’s a stricter focus on enforcement and less focus on cooperation and letting things go,” said Siemens’ Florian Thoma, CIPP/US, CIPP/E, CIPM.

Stephen Deadman, group privacy officer and head of legal for privacy, security and content standards at Vodafone Group, agrees with Thoma that “tsunami” may be too strong of a word. “I think it’s more of a rising tide,” he said. “A gradual increase in enforcement action from regulators.”

Deadman said tsunamis are too expensive.

“What I think is happening and will continue to happen unless something changes in terms of funding is that they are going to have to be very strategic in enforcement activities,” he said. “Never before has the issue been so high profile for politicians and in board rooms that they now think, ‘How do I use my resources most effectively?’ To my mind, there’s nothing that’s going to change that in the near future. I don’t see how the tsunami is going to happen because I don’t know where the money for it is going to come from.”

While international cooperation is certainly an increasing trend, Thoma notes DPAs are not only working together, they’re getting tougher, too.

Thoma said the writing was on the proverbial wall two years ago: Dutch DPA Jacob Kohnstamm said at a gathering of DPAs that DPAs shouldn’t just be good friends with companies, but they should “bark and bite, and I think that this is overall a sign of some of the authorities turning more toward enforcement and less toward discussion,” Thoma said.

European Data Protection Supervisor Peter Hustinx confirms this. While he agrees that terminology is important and “tsunami” may be a bit strong—he suggests “flurry” may be a more accurate description—he says it’s more than just international cooperation, though that is also on the rise.

“There is a general sense that enforcement should be increased, and this is because these activities are having more impact and also because, perhaps, there has been too much emphasis on theory and not enough on practice.”

Scott Hutchinson, spokesman for Canadian Privacy Commissioner Jennifer Stoddart, said based on experience and conversations with other DPAs, “there appears to be, generally, an increasing interest in enforcement actions.”

Such enforcement powers are “critical to DPA success,” Hutchinson told The Privacy Advisor.

Hustinx said while increased enforcement won’t only affect the big brands, DPAs will prioritize major wrongdoing or structural problems according to appropriate needs. However, they may make examples of middle or small-sized companies to send a message to industry, he said.

Strength in Numbers

Citing announcements from regulators in France, Spain, the UK and others on Google’s privacy policy, Hustinx said more will come. He also notes other recent collaborations between DPAs, including the Dutch and Canadian authorities coming together over WhatsApp and most recently the collaboration between Canadian and Irish forces over Facebook.

“This is part of the gradual coming of age. It’s simply the privacy frameworks becoming more effective in a very digital world. And the European review is going to make it ever more true because part of that review is also allowing for much more robust enforcement, stronger rights, and stronger responsibilities with enforcement, including big fines,” Hustinx said.

Christopher Kuner, Wilson Sonsini senior of counsel, said DPAs are certainly becoming more strategic in the ways they enforce against large and multinational companies.

“Enforcement is becoming more globalized and regulators are pooling their resources and finding there’s strength in numbers,” Kuner said. “Individually, they don’t have much enforcement power, but if they pool their powers, it’s much stronger. I think we’ll see more and more of that.”

Noting that recent NSA revelations packed a punch, Thoma, who lives in Germany, said that over the past couple of years there’s been “an increased wish of DPAs to join forces, particularly on enforcement actions because they felt rather weak and rather alone and have realized that data flows span the globe and that, for example, a local authority in any of the German states or particular smaller member states don’t have the power and the possibility to bring enforcement actions against, in particular, those Internet giants like Amazon, Google, Facebook, Apple and others who collect data.”

“We have reached a point where there is almost universal recognition that enforcement cooperation is essential to protecting privacy rights around the globe, and increasingly, we are finding ways to work together,” said Hutchinson. “In a world of rapidly expanding privacy challenges and limited resources, coordinating efforts is an effective way to ensure that people’s privacy rights are respected.”

Hutchinson added that Stoddart’s office recently took part in the Global Privacy Enforcement Network’s privacy sweep, in which 19 privacy enforcement authorities studied the privacy policies of a number of popular websites. The results of that sweep will be announced in coming weeks, he said.

Should Small Companies Be Afraid?

Siemens’ Thoma said he doesn’t believe small startups need to worry about DPAs knocking on their doors just yet.

The conclusion is to prepare. Accountability is required, and the big and small should prepare.

EDPS Peter Hustinx

“I think the focus will first of all be on the big ones, because the smaller ones somewhat have a chance to fly below the radar. The reason why we see this increased level of enforcement is first of all European regulators feel that they must do something to limit the amount of data collected, and not only limit the use of it, and that’s why they bundle forces, as we’ve seen with Google,” he said. “I think in Europe, many of those startup kinds of businesses are less well known, or maybe less used by Europeans, and are not so much perceived as being a threat to European-style privacy and the privacy of European citizens as Google and Facebook.”

Deadman agrees. Vodafone, a global company, has always sensed “that we’ve always been a much bigger target for investigations and enforcement arms for regulators for a number of different factors, but mainly because we’re a big-brand name, so I think that’s what’s happening with regulators with small budgets. They are recognizing that if they are picking on faces not well understood by consumers, they are going to find it harder to justify how they are using their resources.”

Deadman said the corner shop and the grocery store don’t have much to fear, but if you’re an Internet-based company that can scale from 20 users to 10 million users in a matter of weeks, “it’s going to catch attention of the regulators, and we’re seeing that in their recent behavior.”

Canada’s Hutchinson said when data regulators take action against big companies, “it gets people’s attention, but it doesn’t mean we are not looking at smaller companies, too. For example, our office worked along with the Dutch Data Protection Authority earlier this year to complete a joint investigation of WhatsApp.”
